
advapi32.dll - RegSetValueEx

⚠️ High Risk  📁 Windows Native API  🏷️ registry manipulation  ✅ Verified
#windows-native-api #registry #persistence

🔧 API Details

Namespace

advapi32.dll

Language

C/C++ (Win32 API; reachable from .NET via P/Invoke)

Function

RegSetValueEx

📊 Risk Assessment

Severity

High

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

85%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Persistence via registry modification

Technique: T1547.001

🚨 Common in Campaigns

Write a REG_SZ value under HKCU or HKLM \Software\Microsoft\Windows\CurrentVersion\Run (or RunOnce) whose data is the path to the payload; Windows launches it at the next logon of that user (HKCU) or of any user (HKLM)

Code Example:

// hKey: an open ...\CurrentVersion\Run key with KEY_SET_VALUE; the A suffix matches the narrow strings, and cbData for REG_SZ includes the terminating NUL
RegSetValueExA(hKey, "Malware", 0, REG_SZ, (const BYTE *)"C:\\malware.exe", (DWORD)(strlen("C:\\malware.exe") + 1));

Detection Difficulty: Easy

Disable security features

Technique: T1562.001

🚨 Common in Campaigns

Set DisableRealtimeMonitoring=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (or related Defender and firewall policy values) to turn protection off; this needs administrative rights, and on current Windows the write is rejected while Tamper Protection is enabled

Code Example:

// hKey: the Real-Time Protection policy key opened with KEY_SET_VALUE (administrator); a DWORD of 1 disables real-time monitoring, 0 re-enables it
DWORD dwValue = 1; RegSetValueExA(hKey, "DisableRealtimeMonitoring", 0, REG_DWORD, (const BYTE *)&dwValue, sizeof(dwValue));

Detection Difficulty: Medium

🔍 Detection Strategies

Sysmon

HIGH Effectiveness

Event ID 13 - RegistryEvent (Value Set): logged for every value write with Image, TargetObject and Details; filter TargetObject on ...\CurrentVersion\Run, RunOnce and ...\Windows Defender\ paths and alert on DWORD (0x00000001) for the Disable* values. Event ID 12 covers key/value creation and deletion, not writes. Without Sysmon, a SACL on the same keys plus object-access auditing yields Security Event 4657 (registry value modified).

Windows Defender

HIGH Effectiveness

Behavioral detection of registry tampering; with Tamper Protection enabled, Defender also refuses policy writes that disable real-time monitoring, so a DisableRealtimeMonitoring=1 write that succeeded implies Tamper Protection was off or bypassed

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Restrict write access (registry key ACLs deployed via GPO) on the HKLM Run/RunOnce keys and the Windows Defender policy keys; HKCU\...\Run is writable by the logged-on user by design, so it needs monitoring rather than ACL changes

monitoring

EASY Feasibility

Monitor Run/RunOnce value writes in both HKCU (HKU\<SID> in Sysmon) and HKLM, including the WOW6432Node view, and baseline the expected entries so new or changed values stand out
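As an added example (not code from this page's author), the following Python triage applies the Sysmon detection and the Run/RunOnce monitoring mitigation above to Event ID 13 records: it parses the event XML, flags autostart value writes as T1547.001 and Defender Disable*=1 writes as T1562.001, and ignores re-enabling writes (value 0), unrelated values and other event IDs. The SID, process paths and event records are constructed for the example.

```python
"""Triage Sysmon Event ID 13 (RegistryEvent: Value Set) records for the two
RegSetValueEx abuse patterns on this page: Run/RunOnce persistence (T1547.001)
and Defender real-time protection tampering (T1562.001).
All sample events are constructed for this example, not from a real incident."""
import re
import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}

# Autostart values: ...\CurrentVersion\Run\<name> or RunOnce\<name>, under
# HKU\<SID> (how Sysmon shows HKCU) or HKLM, including the WOW6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Defender policy values that switch protection off when set to 1.
DEFENDER_DISABLE_RE = re.compile(
    r"\\Windows Defender\\(?:Real-Time Protection\\)?"
    r"(?:DisableRealtimeMonitoring|DisableAntiSpyware|DisableBehaviorMonitoring)$",
    re.IGNORECASE,
)
# Sysmon renders REG_DWORD data as e.g. "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

def parse_sysmon_event(xml_text):
    """Return the EventData fields of one Sysmon event plus its EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def classify(ev):
    """Map a parsed event to (technique, reason), or None if uninteresting."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY_RE.search(target):
        return ("T1547.001", "autostart value set: %s -> %s" % (target, details))
    if DEFENDER_DISABLE_RE.search(target):
        m = DWORD_RE.search(details)
        if m and int(m.group(1), 16) == 1:   # 1 disables; 0 re-enables
            return ("T1562.001", "Defender protection disabled: %s" % target)
    return None

def triage(events_xml):
    """Classify each raw event; return [(Image, technique, reason)] for hits."""
    findings = []
    for xml_text in events_xml:
        ev = parse_sysmon_event(xml_text)
        hit = classify(ev)
        if hit:
            findings.append((ev.get("Image", "?"),) + hit)
    return findings

def _event(event_id, fields):
    """Build a Sysmon-shaped event XML string (constructed test data)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (SYSMON_NS, event_id, data))

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # placeholder SID
SAMPLE_EVENTS = [
    # 1: the page's Run-key persistence write (hit, T1547.001)
    _event(13, {"EventType": "SetValue",
                "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe",
                "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Malware",
                "Details": "C:\\malware.exe"}),
    # 2: the page's DisableRealtimeMonitoring=1 write (hit, T1562.001)
    _event(13, {"EventType": "SetValue",
                "Image": "C:\\Windows\\System32\\reg.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
                "Details": "DWORD (0x00000001)"}),
    # 3: same value set back to 0, protection re-enabled (no hit)
    _event(13, {"EventType": "SetValue",
                "Image": "C:\\Windows\\System32\\gpupdate.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
                "Details": "DWORD (0x00000000)"}),
    # 4: ordinary user-setting write elsewhere under CurrentVersion (no hit)
    _event(13, {"EventType": "SetValue",
                "Image": "C:\\Windows\\explorer.exe",
                "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
                "Details": "DWORD (0x00000001)"}),
    # 5: Event ID 12 (key created) under Run, outside this rule's scope (no hit)
    _event(12, {"EventType": "CreateKey",
                "Image": "C:\\Windows\\regedit.exe",
                "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}),
]

if __name__ == "__main__":
    for image, technique, reason in triage(SAMPLE_EVENTS):
        print("%s  %s  %s" % (technique, image, reason))
```

Run against exported Sysmon events, triage() yields two findings for the constructed set: the dropper's Run-key write and reg.exe setting DisableRealtimeMonitoring to 1. Anchoring the regexes on the full TargetObject path (rather than substring-matching "Run") keeps Explorer and policy-refresh noise out; extend RUN_KEY_RE with other autostart locations (RunServices, Winlogon\Userinit, etc.) as your baseline requires.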

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT1

FIN7

Lazarus

🦠 Malware Families

ZeuS

Emotet

Ransomware (various)

🔨 Tools

PsExec

PsTools

📋 Metadata

API ID

a50512dd-51f2-4111-8875-27e68220d855

Created

2026-02-02

Author

Claw